The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Thursday, October 30, 2014

Annual Report to Parliament on the Privacy Act tabled for 2013-2014

The Office of the Privacy Commissioner of Canada has released its annual report on the Privacy Act, Canada's federal public sector privacy legislation, for 2013-2014. The report was tabled by our new Commissioner, Daniel Therrien, but relates to a period under the leadership of former Commissioner Jennifer Stoddart and Interim Commissioner Chantal Bernier.

Not surprisingly, the RCMP and surveillance of telecommunications customers loom large in the report. The summary provided in the accompanying press release gives a good overview:

News Release

Annual Report: RCMP review highlights need for better record keeping

Privacy Commissioner’s latest annual report highlights a review which identified shortcomings in how the Royal Canadian Mounted Police (RCMP) monitors and reports on its collection of subscriber data from telecommunications companies without a warrant.

OTTAWA, October 30, 2014 – The results of a review of the RCMP’s warrantless access requests to telecommunications companies have prompted the Privacy Commissioner to call on federal institutions to ensure they properly document these types of requests.

The Office of the Privacy Commissioner of Canada (OPC) launched its review to determine whether the RCMP had appropriate controls in place to ensure its collection of this type of personal information from companies without a warrant was in compliance with the Privacy Act.

“We were disappointed to find that limitations in the RCMP’s information management systems meant we were unable to assess whether such controls were in place,” says Commissioner Therrien.

“It was not possible to determine how often the RCMP collected subscriber data without a warrant. Nor could we assess whether such requests were justified.”

The results of the review are included in the Commissioner’s 2013-2014 Annual Report on the Privacy Act tabled in Parliament today. The report also includes information related to other privacy and surveillance issues, including Beyond the Border initiatives and metadata; and discusses key investigations and complaint and data breach trends.

The review was closed after senior officials at the RCMP informed the OPC that, in the wake of a landmark Supreme Court of Canada decision, the organization would ensure its practices were in line with the ruling.

The OPC has recommended that the RCMP implement a means to monitor and report on warrantless requests for subscriber information.

“We are pleased that the RCMP has agreed to implement this recommendation,” says Commissioner Therrien. “While this review was focused on the RCMP, the recommendation calling for proper record keeping around such requests is one that other federal government organizations should also follow.

“Canadians understand that law enforcement and national security agencies have legitimate needs to collect personal information. Transparency is critical to accountability and will help to increase trust. Canadians want and deserve to have a clearer picture of how, when and why federal institutions are collecting personal information,” the Commissioner said.

“We would also encourage all federal departments and agencies not already doing so to take steps to ensure that all requests for subscriber data respect the Supreme Court of Canada’s recent decision in R. v. Spencer. The clear implication from this critically important decision for privacy is that government institutions must carefully evaluate their processes for obtaining information to ensure compliance with the Charter. The Supreme Court was clear in the Spencer decision that, absent exigent circumstances or a reasonable law providing lawful authority, government agencies must obtain prior judicial authorization in order to obtain subscriber data linked to anonymous online activities.”

Metadata Analysis

The annual report notes that the OPC has also completed a technical and legal primer on metadata – the data trail generated each time someone uses a mobile device, computer, telephone or other technologies.

Metadata and Privacy: a Technical and Legal Overview

The paper, made public today, concludes that organizations should not underestimate what metadata can reveal about an individual. Given the ubiquitous nature of metadata and the powerful inferences that can be drawn about specific individuals, government institutions and private-sector organizations will have to govern their collection and disclosure activities according to appropriate processes and standards that are commensurate with the potential level of sensitivity of metadata in any given set of circumstances.

Beyond the Border Initiatives

The annual report also notes that, over the last year, the OPC saw a trend towards an increased collection of personal information at borders and an expansion of the sharing and uses of such information. A large part stems from the entry/exit program – an initiative developed under the Canada-U.S. Beyond the Border perimeter security agreement. Initial phases have involved the exchange between Canada and the U.S. of entry information on third-country nationals and permanent residents crossing land borders. The program will be expanded to include Canadian and U.S. citizens.

The OPC has already raised a number of questions with respect to the program.

Plans for the next phases of the entry/exit program contemplate not only collecting exit data from all travellers, but using that personal information for wider purposes. This includes sharing it with federal institutions. The OPC has recommended that each of these expanded uses be demonstrated as necessary and effective, be undertaken in the least privacy-invasive manner possible and be designed so any loss of privacy is in proportion to a substantial societal benefit.

The OPC expects to receive Privacy Impact Assessments (PIAs) for proposed new uses of personal information from the entry/exit program in the coming year. PIAs are an important tool and bring real value to organizations because they help to both identify and mitigate privacy risks.

Data Breaches

For the third consecutive year, the number of data breaches voluntarily reported to the OPC by federal institutions reached a record high. It is unclear whether there were actually more breaches or whether more departments and agencies chose to report them.

There were 228 reported data breaches in 2013-2014 across the federal government, more than double the 109 reported a year earlier.

Future annual reports should provide better information about the extent of serious federal government data breaches thanks to a recent change to the Treasury Board’s Directive on Privacy Practices. Federal institutions are now required to report all material data breaches.

Complaints

Year over year, complaints to the OPC have grown in both volume and complexity.

In 2013-2014, the Office accepted 1,777 complaints under the Privacy Act. This was lower than the previous year, which was unusually high due to more than 1,000 complaints related to two major data breaches at Employment and Social Development Canada (ESDC). If complaints associated with those breaches are not counted, there would be a year-over-year increase of approximately 700 complaints. That figure includes 339 complaints relating to a single issue at Health Canada.

ESDC Investigation

In March 2014, the OPC tabled in Parliament a special report on an investigation into ESDC’s loss of an external hard drive containing the personal information of almost 600,000 student loan recipients.

Our annual report summarizes the results of an investigation into another breach involving the disappearance of a USB key containing the personal information of more than 5,000 Canada Pension Plan Disability appellants. The USB key, which was being used by a Justice Department employee, disappeared from an ESDC office. It was neither password-protected nor encrypted, nor was it ever found. As in the breach involving the loss of a hard drive, the investigation found weaknesses in key privacy management controls.

Please note that I am only able to provide legal advice to clients of my firm. If you have a privacy matter, please contact me about becoming a client. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser may not be protected by solicitor-client privilege.

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Due to professional ethics, the author may not be able to comment on matters in which a client has an interest. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.